Everything You Need to Know About Keychain in macOS Sierra

Keychain is the password management system for macOS and iOS. It first shipped with Mac OS 8.6 in 1999 as a way of holding passwords, private keys, certificates and secure notes in encrypted files on the machine. Since then, Keychain has expanded to Apple’s mobile devices and, through iCloud Keychain, synchronizes items between devices. This Tech 101 article explains the functions of Keychain in macOS Sierra as well as how to access and edit keychain files.

What Does Keychain Store?
Keychains were originally developed in the early 1990s for use with an Apple email system called PowerTalk. The idea was that PowerTalk could communicate with many mail servers and online services, so it used a keychain file to hold the user’s authentication information and log the user into the various services automatically and securely. Keychain returned as part of the operating system itself in Mac OS 8.6, and with Mac OS X in the early 2000s it was extended to hold much more information.

Keychain can hold passwords for websites, web forms, FTP servers, SSH accounts, network shares, Wi-Fi networks, groupware apps, encrypted disk images and more. By default the login keychain’s password is the same as the user’s login password, so when the user logs into a Mac the keychain is unlocked and its accounts and passwords become available to the operating system and to applications. Each item also carries its own access control list, which is why an application that did not create an item has to ask permission before reading it. Keychain also manages root certificates, keys, and secure notes.

Where Can The Keychain Files Be Found On My Mac?
Under macOS Sierra, the keychain files are stored in ~/Library/Keychains (the login keychain is the file login.keychain-db), /Library/Keychains/ (the System keychain shared by all users) and /Network/Library/Keychains/. These files are viewed and edited through an application called Keychain Access, found in the Utilities folder in the Applications folder. There is also a command-line equivalent to Keychain Access: /usr/bin/security.

Each keychain item stores several fields including a title, URL, account name, dates and the password. The title, URL, account name and the other attributes are stored in plaintext; only the password (or the body of a Secure Note) is encrypted, with Triple DES under keys that are themselves protected by the keychain password. In practice that means anyone who can read the file, for instance from a backup or a copied drive, can see which servers and accounts you have credentials for even without knowing the password, and that the secrets are only as safe as the keychain password itself.

Common keychains include login, iCloud, System and System Roots. The login keychain is unlocked upon login, while the other keychains can be unlocked by selecting them in Keychain Access, clicking on the “lock” icon, and then entering that keychain’s password (for the System keychain, an administrator’s password). System Roots holds Apple’s trusted root certificates and is not meant to be edited.
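To see for yourself how much of a keychain is readable without its password, here is an added example (not Apple’s code and not part of the original article) that inventories the items in `security dump-keychain` output. Everything under `attributes:` is printed whether or not the keychain is locked; a `data:` section with the secret appears only when `-d` is passed and the user clicks Allow for each item. The dump embedded below is constructed in that shape: the hostnames, account names and the one password in it are invented, and secure notes being `genp` items typed `note` is how they appear in the dump.

```python
"""Inventory a macOS keychain from `security dump-keychain` text.

Added example for this article, not Apple's code. SAMPLE_DUMP is a
CONSTRUCTED dump (invented hosts, accounts and password) in the shape
the tool prints; a "data:" block only exists when -d was used.
"""
import os
import re
import shutil
import subprocess

# Constructed: an Internet password and a Secure Note dumped without -d,
# and one Application password dumped with -d after "Allow" was clicked.
SAMPLE_DUMP = """\
keychain: "/Users/steve/Library/Keychains/login.keychain-db"
version: 512
class: "inet"
attributes:
    0x00000007 <blob>="ftp.im4macs.com"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="steve"
    "cdat"<timedate>=0x32303136303932323030303030305A00  "20160922000000Z\\000"
    "port"<uint32>=0x00000015
    "ptcl"<uint32>="ftp "
    "srvr"<blob>="ftp.im4macs.com"
    "type"<uint32>=<NULL>
keychain: "/Users/steve/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="HomeNet"
    "acct"<blob>="HomeNet"
    "desc"<blob>="AirPort network password"
    "svce"<blob>="AirPort"
    "type"<uint32>=<NULL>
data:
"hunter2-wifi"
keychain: "/Users/steve/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="Recovery codes"
    "acct"<blob>=<NULL>
    "desc"<blob>="secure note"
    "svce"<blob>="Recovery codes"
    "type"<uint32>="note"
"""

LABEL_RE = re.compile(r'^\s+0x00000007 <blob>=(.*)$')  # attribute 7 is the item label
ATTR_RE = re.compile(r'^\s+"(\w{4})"<(\w+)>=(.*)$')    # four-char-code attributes


def _decode(raw):
    """Turn a dumped value into None, str or int."""
    raw = raw.strip()
    if raw == "<NULL>":
        return None
    if raw.startswith('"'):
        return raw[1:raw.rfind('"')].strip()   # codes such as "ftp " are space-padded
    if raw.startswith("0x"):
        return int(raw.split()[0], 16)
    return raw


def parse_dump(text):
    """One dict per 'keychain:' record: class, label, attrs and (maybe) data."""
    items, item, in_data = [], None, False
    for line in text.splitlines():
        if line.startswith("keychain:"):
            item = {"keychain": _decode(line.split(":", 1)[1]), "class": None,
                    "label": None, "attrs": {}, "data": None}
            items.append(item)
            in_data = False
        elif item is None:
            continue
        elif line.startswith("class:"):
            item["class"] = _decode(line.split(":", 1)[1])
        elif line.startswith("data:"):
            in_data = True                  # only present with -d, after Allow
        elif in_data:
            item["data"] = _decode(line)    # assumption: a one-line string secret
            in_data = False
        else:
            m = LABEL_RE.match(line)
            if m:
                item["label"] = _decode(m.group(1))
                continue
            m = ATTR_RE.match(line)
            if m:
                item["attrs"][m.group(1)] = _decode(m.group(3))
    return items


def inventory(text):
    """One (kind, label, account, where, secret_present) tuple per item."""
    rows = []
    for it in parse_dump(text):
        a = it["attrs"]
        if it["class"] == "genp" and a.get("type") == "note":
            kind, where = "Secure note", a.get("svce")
        elif it["class"] == "inet":
            kind = "Internet password"
            where = f"{a.get('ptcl') or ''}://{a.get('srvr')}"
            if a.get("port"):
                where += f":{a['port']}"
        else:
            kind, where = "Application password", a.get("svce")
        rows.append((kind, it["label"], a.get("acct"), where, it["data"] is not None))
    return rows


def dump_keychain(path, with_secrets=False):
    """Run /usr/bin/security (macOS only); -d raises one Allow dialog per item."""
    cmd = ["/usr/bin/security", "dump-keychain"] + (["-d"] if with_secrets else [])
    return subprocess.run(cmd + [path], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    text = SAMPLE_DUMP
    if shutil.which("security"):  # on a Mac, read the real login keychain (no secrets)
        text = dump_keychain(os.path.expanduser("~/Library/Keychains/login.keychain-db"))
    for kind, label, acct, where, secret in inventory(text):
        print(f"{kind:20} {str(label):16} {str(acct):8} {str(where):26} secret={'yes' if secret else 'no'}")
```

On a Mac the script inventories your own login keychain without touching any secret; elsewhere it runs over the constructed sample. The command-line equivalent of the “Show password” checkbox described later in this article is `security find-internet-password -s ftp.im4macs.com -w`, which triggers the same Allow dialog for that one item.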

What Can I Use Keychain Access For?
Since it holds a lot of important information, the Keychain Access app should be used sparingly. However, it’s a useful place to recover passwords that you may have forgotten, get details on secure certificates, and to keep secure notes that you don’t want anyone to see.

(Keychain Access app)

In the screenshot seen above, I’ve launched Keychain Access and I’m currently looking at the unlocked login keychain. It shows a number of application, network, internet and web form passwords; public and private keys used to encrypt/decrypt messages, and certificates.

Let’s say that there’s a password that I’ve totally forgotten and haven’t stored somewhere else, like in a third-party password management application. For this example, I’ve misplaced my password for an old ftp server, so I scroll through the list until I find an entry for ftp.im4macs.com that is tagged as “Internet password”. Double-clicking the entry, the following window appears:

(Attributes window for the ftp server password)

See the field at the bottom that says “Show password”? Check the box next to it, and a dialog appears asking for the login keychain password, which by default is the password you use to log into your Mac. Type it in, then click “Allow”, and the password becomes visible in the field next to the checkbox. (The dialog also offers “Always Allow”; that permanently adds Keychain Access to the item’s access list, so choose plain “Allow” unless you really want to skip the prompt in future.)

(The Attributes window now revealing the password)

If I’d like to create a new password for that ftp site (of course, I’d have to change it on the ftp server as well), clicking the key icon at the far right of the password field displays the Password Assistant, which can generate new, hard-to-guess passwords. Here, I’ve told it to create a “memorable” password of 20 characters length:

(The Password Assistant in Keychain Access)

Twenty characters is pretty long, and it has suggested “burro7:astrophysical” as a password. Bear in mind that a “memorable” password of this form is two dictionary words joined by a digit and a punctuation mark, which is far easier to guess than twenty truly random characters; use the Random option for anything you never have to type by hand. Clicking the Save Changes button in the Attributes window saves the newly-generated password.
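To put numbers on that, here is an added example (not Apple’s generator and not part of the original article) that builds passwords in the shape of “burro7:astrophysical” (word, digit, separator, word) and compares the guessing work against a random 20-character password. The mini word list and separator set are constructed; the real word list size is an assumed parameter of `memorable_bits()`, and the guess rate passed to `expected_seconds()` is an assumption too.

```python
"""How strong is a Password Assistant "memorable" password, really?

Added example for this article, not Apple's code. Models the article's
sample "burro7:astrophysical" as word + digit + separator + word. WORDS and
SEPARATORS are constructed; a real word list size is passed in explicitly.
"""
import math
import re
import secrets
import string

WORDS = ["burro", "astrophysical", "lantern", "orbit", "velvet", "cactus",
         "meadow", "quartz"]          # constructed; real lists run to tens of thousands
SEPARATORS = "!:;-.,"                 # assumed separator set
ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols


def memorable_password(words=WORDS, separators=SEPARATORS):
    """word + digit + separator + word, each drawn with the CSPRNG in `secrets`."""
    return (secrets.choice(words) + secrets.choice(string.digits)
            + secrets.choice(separators) + secrets.choice(words))


def random_password(length=20, alphabet=ALPHABET):
    """`length` symbols drawn uniformly from `alphabet`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_memorable_form(pw, words=WORDS, separators=SEPARATORS):
    """True if pw has the word-digit-separator-word shape built from known words."""
    m = re.fullmatch(r"([a-z]+)(\d)(.)([a-z]+)", pw)
    return bool(m) and m.group(1) in words and m.group(3) in separators and m.group(4) in words


def memorable_bits(wordlist_size, n_separators=len(SEPARATORS)):
    """Entropy when the attacker knows the pattern and the word list:
    two word choices, one digit, one separator."""
    return 2 * math.log2(wordlist_size) + math.log2(10) + math.log2(n_separators)


def random_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of `length` uniform symbols from an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)


def expected_seconds(bits, guesses_per_second=1e10):
    """Expected time to hit the password (half the space) at an assumed offline guess rate."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    print("memorable sample:", memorable_password())
    print("random sample:   ", random_password(20))
    for n in (len(WORDS), 10_000, 100_000):
        b = memorable_bits(n)
        print(f"memorable, {n:>6} words: {b:6.1f} bits, ~{expected_seconds(b):.3g} s at 1e10 guesses/s")
    b = random_bits(20)
    print(f"random, 20 characters:   {b:6.1f} bits, ~{expected_seconds(b):.3g} s at 1e10 guesses/s")
```

Even with a 100,000-word list the memorable form comes to about 39 bits, which an offline attacker can exhaust in under a minute at the assumed rate; twenty random characters from a 94-symbol alphabet give about 131 bits. The length is the same, the strength is not.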

One other common use of Keychain Access is to create secure notes. You can also create password-protected notes in the Notes application on Mac and iOS, but people know to look in Notes for “notes”, and not many would think of looking in the Keychain Access utility. The more important difference is that a Secure Note is encrypted along with the rest of the keychain and can only be read after unlocking the keychain and confirming “Show note” for that specific item.

To create a secure note, click the item marked “Secure notes” under Category in the left sidebar of the Keychain Access window, then click the + sign at the bottom of the window. Type in a name for the Keychain Item, type in your note (see image below), and then click Add to store it as an encrypted secure note in your login keychain.

(A Secure Note in Keychain Access)

As part of our ongoing series on macOS Server, I’ve discussed the need to have certificates issued in order to secure your server. That can be done with Keychain Access. Although the process involved is rather detailed and beyond the scope of this post, note that by going to the Keychain Access menu and selecting Certificate Assistant, it’s possible to create certificates for yourself and for others (see image below). Certificates made this way are self-signed or signed by your own certificate authority, so other machines will not trust them until that root certificate is installed on them as well.

(The Certificate Assistant in Keychain Access)

What About That iCloud Keychain?
If you use iCloud Keychain to synchronize passwords between all of the Apple devices tied to one iCloud account, then you can use Keychain Access to see what those passwords are by clicking on the iCloud item under “Keychains” in the left sidebar, then going through the process described earlier in this post to reveal a forgotten password.

Want to see the same information on an iOS device? There’s no Keychain Access utility for iOS, but just launch Settings, scroll down to Safari, then tap on Passwords. You’ll need to use Touch ID or your passcode to obtain access, but the next thing you’ll see is a list of websites for which you have stored passwords (see image below):

(Safari passwords in iCloud keychain on an iOS device)

Tapping any one of those entries reveals a page showing the user name used on the website, the password, and the original website URL.

A Word Of Warning
Since Keychain contains so many passwords, encryption keys, certificates, and more, it’s not something that should be played with without a lot of respect. Don’t delete any entries unless you really know what they’re used for, don’t delete full keychains, and if you’re asked to verify any changes, think twice before committing to them. Remember, too, that the keychain is only as strong as the password that unlocks it: anyone who can copy the keychain file and guess your login password gets everything inside it, so a strong login password matters more than any individual entry.




  • My Mac requires additional logins after I get to the desktop. They require my old password. It asks for the password for local.* … These are in effect items Apple no longer uses. This was fixed at one point but updates brought it back.




  • I’ve been a Mac user for many years and the Keychain utility has been a regular problem, often randomly but frequently during system updates. Once or twice a year some of the keychain icons would be greyed out or have a blank icon and were not accessible. Sometimes a restore would solve the issue but often not. Sometimes a time consuming manual rebuild was needed.

    Some years ago due to the number of entries I began creating separate keychains to keep software activation keys and website credentials. The intention was to not mess with the default keychain. The problem persisted.

    Recently I moved all my personal keychain items (software activation keys, website credentials, etc) to a non Apple solution. Things are much better now.




  • My keychain automatically creates numerous items.
    Is this behavior due to my use of Firefox as a browser?




  • I purchased a used Mac from OWC, made no changes to Keychain, always declining to add info to Keychain, I’m trying to understand it first. When I inspect my Keychain there are many entries. Those from Apple I’ll keep, others I don’t understand and I’m not sure if I should delete them. I’ve searched and can’t find a website that explains the purpose of non Apple Keychain entries. I need to either find out what the non Apple entries are, or what could happen if I delete all the non Apple entries. Websites state to inspect the entry, but the information is so general I still do not understand where it came from or its purpose.




  • On an earlier Mac I had Microsoft Office 2004. Using Entourage I frequently got a message “Entourage wants to use your Keychain”. I did not know what that meant, but always checked No. Why would Entourage want access to my Keychain?




    • Hi, Harold –

      Microsoft usually gets a bad rap from Mac owners, although they have pretty much always followed Apple’s guidelines to the letter — even sometimes more than Apple. I may be wrong, but I think that Entourage was probably asking for Keychain permission in order to save email server passwords in the Keychain. Had you answered “yes” once, you might not have seen that message again. Now apps are usually better written and ask for that permission up front when the software is initially installed.

      Thanks for reading (and for commenting!),

      Steve




  • … and can you comment on which approaches are likely to be usable across all of Mac/iphone/ipad?




  • Interesting tutorial! However there are a number of choices for storing data in encrypted format, such as 1Password or Paranoia Text Encryption. Can you comment on the relative merits of different approaches?




  • Why would one want to use Apple Keychain if they use a 3rd Party Password system like “1Password”.




    • A couple of reasons, Don. Some people don’t want to pay the subscription fee for 1Password, so the built-in Apple Keychain that’s usable in many situations across devices is a perfect — and free — example. In addition, many newbies don’t know about 1Password and similar apps/services, so Keychain is about the only service they might use. For those who DO use 1Password, Keychain is a good backup for those passwords and often auto-fills info much faster than 1Password will…